FACTA Red Flags: Program Checklist

Article Red Flags Rule
FACTA Red Flags


In 2003, the U.S. Congress enacted the Fair and Accurate Credit Transaction Act (or FACTA), requiring creditors to adopt policies and procedures to prevent identity theft. These policy and procedure requirements became known as the Red Flags Rule in 2007, and are now enforced by the Federal Trade Commission, along with other government agencies such as the National Credit Union Administration, to regulate the way organizations handle consumer information.

The Red Flags Rule is intended to prevent identity theft and, in order to comply, organizations are required to implement an Identity Theft Prevention Program and provide “Red Flag” training to all employees who handle consumer data.

The Red Flags Rule applies to a very broad list of organizations, including financial institutions and creditors with covered accounts. Simply accepting credit cards as a form of payment does not make you a “creditor” under the Red Flags Rule. But, if your organization arranges credit for customers, or extends credit by selling goods to customers and billing them later, it is considered a “creditor” and must comply. A covered account includes any account for which there is a foreseeable risk of identity theft, for example, social security numbers, driver’s license numbers, medical insurance accounts, credit card numbers, etc.

The FTC can bring cases against any organization that engages in unfair or deceptive practices involving inadequate protection of consumers’ personal data.

Has your organization formally addressed the FACTA Red Flags Rule? Below is a quick checklist that will help you establish your program:


Identify all accounts that are at risk for identity theft and the departments/areas where that information can be accessed. In higher education environments, these are typically the same areas that have been identified as in-scope for GLBA and/or PCI. Verify what personal information your organization has and where it is stored (i.e., within files, on computers, portable devices, employee laptops, etc.). It is also important to consider remote locations as more and more staff continue to work from home and need to access services remotely. When trying to determine if data is considered identifiable information or not, you can ask yourself if the attributes could be used to steal an identity. Trace the flow of information from data entry to disposal and document who has access to that information and when.


Identify any potential Red Flags associated with new or existing covered accounts. Red Flags are defined as suspicious information or activities that suggest the possibility of thieves using an individual’s personally identifiable information (PII) to commit fraud. Through a regular risk assessment process, identify any possible red flags (i.e., suspicious documents, inconsistent personal information, suspicious activities, address discrepancies, alerts/notices, etc.), and document how they are currently being addressed, including the protections that are in place to reduce risk.


Under the Red Flags Rule, organizations are required to establish a written Identity Theft Prevention plan adequate for their size and operation. The plan should include procedures to detect, prevent, and respond to the red flags, or patterns, practices, or specific activities that may indicate identity theft. The program must be approved by the organization’s board of directors or appointed committee, and it must be updated regularly to address changes in risk. The organization should have a formal document that describes the Identity Theft Prevention Program, the identified red flags, controls that have been implemented, required training, etc.


Organizations are required to implement training for all staff handling this protected information on how to identify red flags and how they should respond. For example, staff in the student enrollment department may require a user’s photo ID to verify identity before proceeding. It is important staff understand this requirement and its enforcement, as well as what to do if a customer says they cannot provide the requested identification. Similar to other compliance standards, FACTA Red Flags training is recommended for all new hires to a department where at-risk data is handled or stored, and then at least annually for all staff in those relevant areas.


FACTA also requires organizations to verify all third-party service providers/vendors remain compliant with the Red Flags Rule and are performing activities in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. Your organization’s contract terms should require that service providers have such policies and procedures in place. In the contract, you can also state that service providers must report any Red Flags to your organization. Make each department/area responsible for performing a periodic audit to ensure service provider compliance and verify that no unauthorized individuals have access to personally identifiable information.

Your organization’s Red Flags Program should continuously evolve based on lessons learned and experiences with fraud and identity theft, changes in the types of services and accounts offered, and new methods used to detect and mitigate identity theft. Ensure your program is updated periodically to reflect changes in risks.

For a sample Identity Theft Prevention Program document, as well as a more comprehensive list of red flags, reach out to your dedicated CampusGuard Customer Advocate team.

Additional guidance from the Security Advisor Team is below:

[Hobby]: The Fair and Accurate Credit Transaction Act (FACTA) is an amendment to the Fair Credit Reporting Act (FCRA) and is often referred to as the “Red Flags Rule.” FCRA regulates the collection, use, and release of consumer credit information in credit reports by consumer reporting agencies while FACTA focuses on consumer information privacy, accuracy, and identity theft protection.

A red flag is a pattern, practice, or activity that indicates the possibility of identity theft. Red flags typically fall into one of four categories:

  1. Alerts and notifications from reporting agencies and third parties
  2. Presentation of suspicious documents or identifying information
  3. Unusual or suspicious account activity
  4. Notices from customers, victims, or law enforcement agencies

Financial institutions, including colleges and universities, are required to have a program to monitor for red flags to detect and prevent identity theft. Like other security and privacy initiatives, protecting against identity theft demands a documented program, regular training, and continuous monitoring integrated into regular business practices. It can be annoying to answer “secret” questions to verify your identity when making account inquiries and changes, but it’s helping to protect you and your customers from identity theft.


About the Author
Katie Johnson

Katie Johnson


Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.